RequestHeader set X-Forwarded-Scheme https early
RequestHeader set X-Scheme https early
RequestHeader set X-Forwarded-Proto https early
ProxyPreserveHost On

RewriteEngine on
# redirect the top / level to the catalog.
RewriteRule ^/$ https://%{SERVER_NAME}/v2/_catalog [R]

ProxyPass {{ localpath }} {{ proxyurl }}{{remotepath}}
ProxyPassReverse {{ localpath }} {{ proxyurl }}{{remotepath}}

# Only pull from v1
<Location /v1/>
  <Limit GET HEAD>
    Require all granted
  </Limit>
  <Limit POST PUT DELETE>
    Require all denied
  </Limit>
</Location>

# And disallow the fallback for v1 auth
<Location /v1/users/>
  Require all denied
</Location>

# We require auth on /v2/ exactly to make sure that docker realizes it needs to
# send a username/password.
<Location /v2/>
  AuthName "Candidate Registry Authentication"
  AuthType Basic
  AuthUserFile /etc/httpd/conf.d/candidate-registry.fedoraproject.org/passwd

  <RequireAny>
    Require valid-user
    <RequireAll>
      Require not ip 10.3
      # This require is because otherwise apache thinks the Require not ip is useless
      Require method GET
    </RequireAll>
  </RequireAny>
</Location>

# But we allow random pulling by anyone without auth
<LocationMatch "/v2/.+">
  # Anyone can read
  <Limit GET HEAD>
    Require all granted
  </Limit>

  # Write access to docker-deployer only
  <Limit POST PUT DELETE>
    Require valid-user
  </Limit>

</LocationMatch>
